System and method of secure garbage collection on a mobile device

ABSTRACT

A method and system for performing garbage collection involving sensitive information on a mobile device. Secure information is received at a mobile device over a wireless network. The sensitive information is extracted from the secure information. A software program operating on the mobile device uses an object to access the sensitive information. Secure garbage collection is performed upon the object after the object becomes unreachable.

RELATED CASE

This application claims the benefit of and priority to U.S. ProvisionalPatent Application Ser. No. 60/365,515, filed Mar. 20, 2002, the entiredisclosure of which is incorporated herein by reference.

BACKGROUND

1. Technical Field

This invention relates generally to mobile devices and more particularlyto secure memory techniques on a mobile device.

2. Description of the Related Art

Many known mobile devices support objects, such as by using Java tosend, receive, or at least use data, voice, and/or multi-media(audio/video). These objects may be involved in sensitive informationfrom cellular networks and with many different services. However,garbage collection operations presently performed on mobile devices havesecurity deficiencies.

A non-limiting example of the deficiencies includes collection ofunreachable objects. For example, FIG. 1 shows a typical state of a heapbetween garbage collections of unreferenced objects. A typical garbagecollector waits until memory becomes low before collecting unreachableobjects. Thus, an object may become unreachable well before it iscollected. This creates an unpredictable window of opportunity for anattack, especially if the memory recovery itself is not secure.

SUMMARY

In accordance with the teachings disclosed herein, a secure garbagecollection system is provided which includes a microprocessor, and anaddressable storage, having a heap and a secure garbage collectionsoftware module capable of calling a wipe function. When the securegarbage collection software module has detected that objects in the heapare unreachable, it securely reclaims the memory they were using bycalling the wipe function.

In another embodiment, the secure garbage collection may be triggered inmany different ways, including but not limited to the steps of: waitingfor a trigger, performing subsequent steps for all secure applications,requesting that a secure application unreference sensitive objects,perform secure garbage collecting, and determine if all secureapplications have been processed.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows the state of a typical heap between unreferenced objectsusing a known garbage collector;

FIG. 2 is a block diagram showing an exemplary secure garbage collectionsystem according to an embodiment of the invention;

FIG. 3 a is a block diagram illustrating in greater detail the physicalview of an example addressable storage of FIG. 2, featuring objects inRAM and Flash in an exemplary cryptographic message viewing application.

FIG. 3 b is a block diagram illustrating the logical view of FIG. 3 a;

FIG. 4 is a flow diagram showing an example method of triggering securegarbage collection on a mobile device according to an embodiment of theinvention;

FIG. 5 is a flow diagram showing an example method of secure garbagecollection whereby unreferenced objects are securely garbage collectedaccording to an embodiment of the invention;

FIG. 6 is a block diagram illustrating software components for use insecure garbage collection on a mobile device; and

FIG. 7 is a schematic diagram of an exemplary wireless device'scomponents.

DETAILED DESCRIPTION

With reference now to the Figures, FIG. 2 is a block diagram showing anexemplary secure garbage collection system 300. The system 300 amongother things secures sensitive information, which may exist on its own,may arise from Personal Information Management (PIM), or may arise fromcommunications such as voice and/or video calls, short messaging service(SMS) communication, e-mail messaging, web page communication, andwireless access protocol (WAP) communication. The system 300 enablessecure decryption techniques and secure persistent storage techniques.Many different types of mobile devices may utilize system 300, such aspersonal digital assistants, mobile communication devices, cellularphones, and wireless two-way communication devices, as well as in anydevice that has sensitive information.

The exemplary secure garbage collection system 300 of FIG. 2 includes amicroprocessor 110, and an addressable storage 120 connected tomicroprocessor 110 by a data bus 130. The addressable storage 120 storesmicroprocessor software modules 140, heap 150 and reference table 160.

Microprocessor software 140 includes a native wipe function 170. Thenative wipe function 170 can obliterate the data in a portion ofaddressable storage 120. Suitable functions in the ‘C’ programminglanguage is the function ‘memset( )’, which could be used to write overdata with all zeroes, all ones, or with random data to thwartsophisticated memory recovery techniques. Microprocessor software 140also may include virtual machine software 200, having a secure garbagecollector software module 205 capable of using native wipe function 170,as well as being able to access objects in heap 150 via reference table160. Such software 140 may be used in many different implementationenvironments, such as object-oriented environments (e.g., Java).

Virtual machine software 200 is capable of interpreting virtual machineinstructions found in software modules 210. A specific virtual machinesoftware module (e.g., secure viewer application 220) is shown, and willbe used as an example application which uses secure garbage collectiontechniques.

Secure viewer application 220, when executed by virtual machine software200, results in viewer object 10V being allocated in heap 150,accessible via its corresponding @V 35V entry in reference table 160.Viewer object 10V could be, for instance, a user interface object whichdisplays sensitive information in a sensitive object, such as object10S. Viewer object 10V preferably dynamically generates sensitive object10S from secure object 70E by authentication in viewer application 220.

For instance, if secure object 70E is an S/MIME encrypted message, thensensitive object 10S is a clear unencrypted version of the S/MIMEmessage, dynamically generated by secure viewer application module 220,in this case an S/MIME e-mail viewer application, preferably byobtaining and applying a private key to encrypted S/MIME message object70E.

Heap 150 may be partitioned so that sensitive objects, such as object10S are distinguishable from secure objects, such as object 70E, asillustrated by regions 152 and 157 which respectively bound sensitiveand secure portions of heap 150. It should be understood that manydifferent partitioning configurations (or none at all) are possible withrespect to handling sensitive and secure objects in order to fit thesituation at hand.

Also shown is a portion of heap 150 which is unreachable, illustrated byregion 155. Region 155 contains objects 10V′, 10S′ and 70E′ which are nolonger referenced by other objects, and as such, are suitable forgarbage collection. Notice that object 10S′ is both unreachable andsensitive, object 70E′ is both unreachable and secure, whereas object10V′ is only unreachable.

Returning to the S/MIME viewer application 220 example, objects 10V′,10S′ and 70E′ are unreachable, for instance if the S/MIME viewerapplication stopped displaying viewer 10V′ in response to a deletemessage user interface command. Thus, if viewer 10V′ was the only objecthaving references to sensitive object 10S′ and 70E, when the referenceto 10V′ is lost, all three objects are candidates for garbagecollection. Notice however that object 70E, although referenced byviewer 10V′, is still reachable and secure (e.g. encryptedS/MIME—perhaps because it was the previous message viewed by viewer 10V′and was not deleted by the user).

Secure garbage collector module 205, once it has detected that objects10V′, 10S′ and 70E′ are unreachable, securely reclaims the memory theywere using by calling native wipe function 170 to wipe, at least object10S′, as well as optionally objects 10V′ and 70E′. Optionally, allgarbage collections use the wipe native function 170 thereby treatingall objects as sensitive.

With reference to FIGS. 3 a and 3 b, FIG. 3 a is a block diagramillustrating in greater detail the physical view of an exampleaddressable storage of FIG. 2, featuring a reference table, a viewerobject in RAM, a persistent encrypted object in Flash, and a transientsensitive object in RAM, in an exemplary cryptographic message viewingapplication.

FIG. 3 b is a block diagram illustrating the logical view of FIG. 3 a.Both are described next.

An object 10V that references object 10S and object 70E, are illustratedas they might appear somewhere in RAM 20 or Flash 80.

Also illustrated is a reference table 30, situated somewhere in RAM 20.The reference table 30 has several storage elements (35V, 35S, 35E) of afixed size “w” 37 to simplify the indexed access to storage elements.Each used storage element (35V, 35S, 35E) corresponds to an object (10V,10S, 70E) which are located in an addressable space, here consisting ofRAM 20 and Flash 80. For example object V 10V finds correspondence withstorage element index “v” 35V, object E 70E finds correspondence withstorage element index “e” 35E, whereas object S 10S finds correspondencewith storage element index “s” 35S. The addresses (40V, 40S, 90E) ofcorresponding objects (10V, 10S, 70E) are stored in storage elements(35V, 35S, 35E) so that knowing the index of an object in the referencetable 30 it is possible to obtain the address (40V, 40S, 90E) of anobject (10V, 10S, 70E) respectively, This is done by first obtaining theaddress @R 50 of the reference table 30. Then, given an object'sreference, such as “s” 55S for the example V object 10V, the address ofthe storage element @(R+v*w) 60V can be obtained by multiplying theindex 55V “v” by the size “w” 37 of each storage element.

Since the “v” storage element 35V holds the address of the correspondingobject V 10V, resolving the contents of the storage element 35V providesthe address @V 40V of object V 10V in RAM 20. Similarly, the “s” storageelement 35S, when resolved provides the address @S 40S of object 10S inRAM 20, and the “e” storage element 35E points to an address @E 90E ofobject 70E in Flash 80. Also shown is how each object (10V, 10S, 70E)contains within its format its “this reference” (55V, 55S, 55E) relatedto the reference table 30. Also shown is how, object V 10V containswithin its format a reference “E” 65E to object E 70E, and a reference“S” 65S to object S 10S. This allows a runtime context within the scopeof object V 10V to be able to access objects E 70E and 10S in the sameway, regardless of the fact that object E 70E is situated at an address90E in Flash 80 and objects V 70A is in RAM 20.

Object 10V could be a Secure Multipurpose Internet Mail Extensions(S/MIME) viewer, in which case object 70E could be a persisted (S/MIME)encrypted message, and object 10S could be the sensitive decryptedversion of encrypted message 70E. Viewer object 10V could have generatedsensitive object 10S from encrypted object 70E at the request of andafter authenticating the user of viewer 10V—that is, the intendedrecipient of the S/MIME message.

With reference to FIG. 4, FIG. 4 depicts a flow diagram showing anexample method of triggering secure garbage collection on a mobiledevice. Step 410 includes waiting for a trigger. Any parametersassociated with a trigger could be loaded from storage 120 viaconfiguration 402. A trigger can result from many different events, suchas but not limited:

-   -   405I is a timeout event, which may occur when the mobile device        is left idle;    -   405H is a holstered or cradled event, which may occur when the        user, or an attacker, either places or removes the device from        its holster (if so equipped) or cradle (if so equipped).    -   405L is a screen lock or user lock event, which may occur due to        any number of reasons, such as when a user enters a password at        a lock screen, or when a user expressly locks the device or        screen;    -   405A is an application event, such as when a viewer has stopped        displaying a sensitive object. In the case of S/MIME, messages        are preferably kept secure (encrypted) and are decrypted only if        viewed. However, a configuration parameter could be used to age        the decrypted message before causing a secure garbage collection        trigger to give the user the opportunity to view a message,        close it, and re-open it within a narrow time out period.    -   405R is a roll back trigger, which can occur whenever the system        clock (if so equipped) or a time zone has been altered. A        configuration parameter could be used to specify the specific        cases.    -   405E is a transceiver event, which can occur if the mobile        device communicates (if so equipped), for instance over a        wireless network. For example, when communicating using S/MIME,        or while browsing using SSL or TLS, caches may be securely        garbage collected.

Step 420 includes performing subsequent steps for all secureapplications. Secure applications may be selected by configuration, ormay include all applications.

Step 430 includes requesting that a secure application unreferencesensitive objects. Thus, this step helps ensure that the window ofopportunity of an attacker is greatly limited in secure applicationsregardless of the trigger.

Step 440 includes securely garbage collecting. This step at leastincludes calling the native wipe function call, but may also includeother actions, such as, but not limited to, cleaning out the systemclipboard (if so equipped and configured). An exemplary method to carryout this step is discussed below with reference to FIG. 5.

Step 450 includes determining if all secure applications have beenprocessed. If all secure applications are clean (e.g., applications haveno references to sensitive objects), then steps 430 and 440 are repeatedfor the remaining secure applications. Alternatively, if all secureapplications are clean, then step 410 ensues and the method begins anew.

It is noted that the method of FIG. 4 may be implemented as a “Daemon”application for the virtual machine.

With reference to FIG. 5, FIG. 5 is a flow diagram showing an exemplarymethod of secure garbage collection whereby unreferenced objects aresecurely garbage collected.

The method 500 of FIG. 5 may be used to carry out step 440 of FIG. 4.Step 510 includes collecting unreferenced objects. This step may receivean indication, for instance via configuration information 502, such aswhich trigger caused the garbage collection in the method 400 of FIG. 4.For example, if an S/MIME viewer application was the trigger, thenunreferenced sensitive objects would preferably be collected from theheap starting near the cause of the trigger.

Step 520 includes performing subsequent steps for all unreferencedobjects in the heap. Step 530 includes determining if the unreferencedobject is sensitive. As was described in reference to FIG. 2, in apreferred embodiment, all unreferenced objects are treated as sensitive.This may also be specified in the configuration information 502. If theunreferenced object is determined to be sensitive, then step 540 ensues,followed by step 550; if not, then step 550 ensues.

Step 540 includes calling the native wipe function to obliterate thesensitive information in the unreferenced sensitive object. As wasdescribed in reference to FIG. 2, the native wipe function could be a C“memset( )” of object data to zeroes, ones, or random data. Which optionto use could be specified in configuration 502. It is also envisagedthat a non-native wipe function could be used.

Step 550 includes reclaiming object memory. This step could beaccomplished by a traditional garbage collector. By replacing all callsto the traditional garbage collector with calls to a secure garbagecollector, secure garbage collection can be enabled in many existingmethods and systems.

Step 560 includes determining if all unreferenced objects have beenreclaimed. If this is determined, then the method ends. If not, thenstep 530 ensues to continue secure garbage collection.

FIG. 6 illustrates at 600 a mobile device having a secure garbagecollection system. The mobile device 600 receives information (e.g.,secure message 602) over a wireless network 604. A software program 606operating on the mobile device 600 processes the secure message 602 suchthat a secure object is created and is stored within addressable storagememory 608 to handle the secure message 602. In this example, sensitiveinformation is extracted from the secure message 606, and a sensitiveobject is created and stored within addressable storage memory 608 inorder to handle the sensitive information.

When objects (610, 612, 614) in the addressable storage memory 608 aredetected as unreachable, a secure garbage collector module 616 securelyreclaims the memory 608 the objects (610, 612, 614) were using bycalling a wipe function 618. Optionally, all garbage collections use thewipe function 618 thereby treating all objects (610, 612, 614) assensitive. However, it should be understood that the garbage collectionmodule 616 may vary the type of objects the wipe function 618 may beused for. For example, the garbage collection module 616 may beconfigured to only use the wipe function 618 upon unreachable sensitiveobjects 610, or only upon unreachable secure objects 612, orcombinations thereof. Moreover, the garbage collection module 616 may beconfigured to use the wipe function 618 upon unreachable objects of oneor more software programs. Such approaches initiate secure garbagecollection in order to prevent unauthorized access to sensitiveinformation. Thus, secure garbage collection is initiated when an object(such as a sensitive object) becomes unreachable rather than only whenmemory becomes scarce.

Many different types of mobile devices may utilize the systems andmethods disclosed herein, such as a wireless device shown in FIG. 7.With reference to FIG. 7, wireless device 900 is preferably a two-waycommunication device having at least voice and data communicationcapabilities. The device 900 preferably has the capability tocommunicate with other computer systems on the Internet. Depending onthe functionality provided by the device, the device 900 may be referredto as a data messaging device, a two-way pager, a cellular telephonewith data messaging capabilities, a wireless Internet appliance or adata communication device (with or without telephony capabilities).

Where the device 900 is enabled for two-way communications, the device900 may incorporate a communication subsystem 911, including a receiver912, a transmitter 914, and associated components such as one or more,preferably embedded or internal, antenna elements 916 and 918, localoscillators (LOs) 913, and a processing module such as a digital signalprocessor (DSP) 920. As will be apparent to those skilled in the fieldof communications, the particular design of the communication subsystem911 will be dependent upon the communication network in which the deviceis intended to operate. For example, a device 900 destined for a NorthAmerican market may include a communication subsystem 911 designed tooperate within the Mobitex mobile communication system or DataTAC mobilecommunication system, whereas a device 900 intended for use in Europemay incorporate a General Packet Radio Service (GPRS) communicationsubsystem 911.

In general, the device 900 may acquire or generate secure and sensitiveinformation through its interaction with cellular networks and theservices the networks provide. Examples of cellular networks andservices they provide include Code Division Multiple Access (CDMA) andGlobal Service Mobile (GSM) networks which provide for the most partvoice and some data services. Voice services are typically compatiblewith plain old telephony service (POTS). Short Messaging Service (SMS)and Wireless Application Protocol (WAP) are available on some cellularnetworks. Data networks, such as MobiTex™, Datatac™, as well as advancednetworks such as General Packet Radio Service (GPRS), and UniversalMobile Telecommunications System (UMTS), may allow an appropriatelyconfigured wireless mobile device to offer data services such as e-mail,web browsing, SMS, WAP, as well as PIM. Future networks may also offervideo services. Thus, sources of sensitive information abound.

Network access requirements will also vary depending upon the type ofnetwork 919. For example, in the Mobitex and DataTAC networks, mobiledevices such as 900 are registered on the network using a uniquepersonal identification number or PIN associated with each device. InGPRS networks however, network access is associated with a subscriber oruser of a device 900. A GPRS device therefore requires a subscriberidentity module (not shown), commonly referred to as a SIM card, inorder to operate on a GPRS network. Without a SIM card, a GPRS devicewill not be fully functional. Local or non-network communicationfunctions (if any) may be operable, but the device 900 will be unable tocarry out any functions involving communications over network 919. Whenrequired network registration or activation procedures have beencompleted, a device 900 may send and receive communication signals overthe network 919. Signals received by the antenna 916 through acommunication network 919 are input to the receiver 912, which mayperform such common receiver functions as signal amplification,frequency down conversion, filtering, channel selection and the like,and in the example system shown in FIG. 7, analog to digital conversion.Analog to digital conversion of a received signal allows more complexcommunication functions such as demodulation and decoding to beperformed in the DSP 920. In a similar manner, signals to be transmittedare processed, including modulation and encoding for example, by the DSP920 and input to the transmitter 914 for digital to analog conversion,frequency up conversion, filtering, amplification and transmission overthe communication network 919 via the antenna 918.

The DSP 920 not only processes communication signals, but also providesfor receiver and transmitter control. For example, the gains applied tocommunication signals in the receiver 912 and transmitter 914 may beadaptively controlled through automatic gain control algorithmsimplemented in the DSP 920.

The device 900 preferably includes a microprocessor 938, which controlsthe overall operation of the device. Communication functions, includingat least data and voice communications, are performed through thecommunication subsystem 911. The microprocessor 938 also interacts withfurther device subsystems such as the display 922, flash memory 924,random access memory (RAM) 926, auxiliary input/output (I/O) subsystems928, serial port 930, keyboard 932, speaker 934, microphone 936, ashort-range communications subsystem 940 and any other device subsystemsgenerally designated as 942.

Some of the subsystems shown in FIG. 7 perform communication-relatedfunctions, whereas other subsystems may provide “resident” or on-devicefunctions. Notably, some subsystems, such as keyboard 932 and display922 for example, may be used for both communication-related functions,such as entering a text message for transmission over a communicationnetwork, and device-resident functions such as a calculator or tasklist.

Operating system software used by the microprocessor 938, which could beelement 110 of FIG. 2 is preferably stored in a persistent store such asflash memory 924, which could be element 80 of FIG. 3 a and may insteadbe a read only memory (ROM) or similar storage element or could be aportion of addressable storage 120 of FIGS. 2, 3 a and 3 b. Thoseskilled in the art will appreciate that the operating system, specificdevice applications, or parts thereof, may be temporarily loaded into avolatile store such as RAM 926, which could be element 20 of FIG. 2. Itis contemplated that received communication signals may also be storedto RAM 926. Flash memory 924 preferably includes data communicationmodule 924B, and when device 900 is enabled for voice communication,voice communication module 924A. For the purposes of this invention, arealso included in flash memory 924 other software modules 924N, whichcould be microprocessor software 140 of FIG. 2.

The microprocessor 938, in addition to its operating system functions,preferably enables execution of software applications on the device. Apredetermined set of applications which control basic device operations,including at least data and voice communication applications forexample, will normally be installed on the device 900 duringmanufacture. A preferred application that may be loaded onto the devicemay be a personal information manager (PIM) application having theability to organize and manage data items relating to the device usersuch as, but not limited to e-mail, calendar events, voice mails,appointments, and task items. Naturally, one or more memory stores maybe available on the device to facilitate storage of PIM data items onthe device. Such PIM application would preferably have the ability tosend and receive data items, via the wireless network. In a preferredembodiment, the PIM data items are seamlessly integrated, synchronizedand updated, via the wireless network, with the device user'scorresponding data items stored or associated with a host computersystem. Further applications may also be loaded onto the device 900through the network 919, an auxiliary I/O subsystem 928, serial port930, short-range communications subsystem 940 or any other suitablesubsystem 942, and installed by a user in the RAM 926 or preferably anon-volatile store (not shown) for execution by the microprocessor 938.Such flexibility in application installation increases the functionalityof the device and may provide enhanced on-device functions,communication-related functions, or both. For example, securecommunication applications may enable electronic commerce functions andother such financial transactions to be performed using the device 900.

In a data communication mode, a received signal such as a text messageor web page download will be processed by the communication subsystem911 and input to the microprocessor 938, which will preferably furtherprocess the received signal for output to the display 922, oralternatively to an auxiliary I/O device 928. A user of device 900 mayalso compose data items such as e-mail messages for example, using thekeyboard 932, which is preferably a complete alphanumeric keyboard ortelephone-type keypad, in conjunction with the display 922 and possiblyan auxiliary I/O device 928. Such composed items may then be transmittedover a communication network through the communication subsystem 911.

For voice communications, overall operation of the device 900 issubstantially similar, except that received signals would preferably beoutput to a speaker 934 and signals for transmission would be generatedby a microphone 936. Alternative voice or audio I/O subsystems such as avoice message recording subsystem may also be implemented on the device900. Although voice or audio signal output is preferably accomplishedprimarily through the speaker 934, the display 922 may also be used toprovide an indication of the identity of a calling party, the durationof a voice call, or other voice call related information for example.

The serial port 930, would normally be implemented in a personal digitalassistant (PDA)-type communication device for which synchronization witha user's desktop computer (not shown) may be desirable, but is anoptional device component. Such a port 930 would enable a user to setpreferences through an external device or software application and wouldextend the capabilities of the device by providing for information orsoftware downloads to the device 900 other than through a wirelesscommunication network. The alternate download path may for example beused to load an encryption key onto the device through a direct and thusreliable and trusted connection to thereby enable secure devicecommunication.

A short-range communications subsystem 940 is a further optionalcomponent which may provide for communication between the device 900 anddifferent systems or devices, which need not necessarily be similardevices. For example, the subsystem 940 may include an infrared deviceand associated circuits and components or a Bluetooth communicationmodule to provide for communication with similarly-enabled systems anddevices.

Having described in detail the preferred embodiments of the presentinvention, including the preferred methods of operation, it is to beunderstood that this operation could be carried out with differentelements and steps. This preferred embodiment is presented only by wayof example and is not meant to limit the scope of the present invention.This written description may enable those skilled in the art to make anduse embodiments having alternative elements that likewise correspond tothe elements of the invention. The intended scope of the invention thusincludes other structures, systems or methods that do not differ fromthe literal language of the description, and further includes otherstructures, systems or methods with insubstantial differences from theliteral language of the description.

1. A method for performing secure garbage collection for sensitiveinformation on a mobile device, comprising the steps of: receiving at amobile device secure information over a wireless network; extractingsensitive information from the secure information; storing the sensitiveinformation in memory of the mobile device; wherein a software programoperating on the mobile device uses a first object to access the storedsensitive information; waiting for a trigger, wherein the trigger is tobe used as an indication to perform a secure garbage collectionoperation determining that a trigger has occurred; if a trigger hasoccurred, requesting that a secure application unreference objects,wherein the first object becomes unreachable due to the secureapplication having unreferenced the first object; determining that thefirst object has become unreachable; based upon the determination thatthe first object has become unreachable, obliterating the unreachablefirst object from the memory; and reclaiming the memory that the firstobject was using.
 2. A method of triggering secure garbage collection ona mobile device, comprising the steps of: waiting for a trigger, whereinthe trigger is to be used as an indication to perform a secure garbagecollection operation determining that a trigger has occurred; if atrigger has occurred, requesting that an application operating on themobile device unreference sensitive objects; and performing securegarbage collection upon the unreferenced sensitive objects, wherein thesecure garbage collection renders sensitive data associated with anunreferenced sensitive object unreadable.
 3. A garbage collection systemfor operation on a mobile device, wherein the mobile device includesmemory for storing at least one object used by a software program toaccess sensitive information stored on the mobile device, comprising: aconfiguration data structure to store information about at least onetriggering event, wherein the triggering event is used as an indicationto perform a secure garbage collection operation; a garbage collectionmodule having a data access pathway to the configuration data structureand to the memory; wherein the garbage collection module is configurableto perform a secure garbage collection operation based upon a detectionof the triggering event, wherein the detection of the triggering eventis performed based upon the information stored in the configuration datastructure; wherein the secure garbage operation includes a determinationthat the object is unreachable and a call to a wipe function withrespect to the unreachable object.
 4. A secure garbage collection systemfor handling sensitive information on a mobile device, comprising: meansfor receiving at a mobile device secure information over a wirelessnetwork; means for extracting sensitive information from the secureinformation; means for storing the sensitive information in memory ofthe mobile device; wherein a software program operating on the mobiledevice uses an object to access the stored sensitive information; meansfor determining that a triggering event has occurred; means fordetermining that the object has become unreachable; means forobliterating the unreachable object from the memory after the object hasbeen determined as unreachable; wherein the obliterated object isrendered unreadable; and means for reclaiming the memory that theunreachable object was using.
 5. A mobile device configurable to performsecure garbage collection, said mobile device comprising: amicroprocessor configurable to execute a software program which handlessensitive information; heap memory for storing at least one object usedby the software program to access the sensitive information; a garbagecollection module operable on the microprocessor and having a dataaccess pathway to the heap memory; wherein the garbage collection moduleis configurable to call a wipe function with respect to the objectstored in heap memory upon a detection that the object in the heapmemory is unreachable.
 6. A method for performing secure garbagecollection involving sensitive information on a mobile device,comprising the steps of: receiving at a mobile device secure informationover a wireless network; extracting sensitive information from thesecure information; storing the sensitive information in memory of themobile device; wherein a software program operating on the mobile deviceuses an object to access the stored sensitive information; determiningthat the object has become unreachable; based upon the determinationthat the object has become unreachable, obliterating the unreachableobject from the memory; and reclaiming the memory that the object wasusing.
 7. The method of claim 6, wherein the mobile device is a personaldigital assistant.
 8. The method of claim 6, wherein the mobile deviceis a mobile communication device.
 9. The method of claim 6, wherein themobile device is a cellular telephone with data messaging capabilities.10. The method of claim 6, wherein the mobile device is a wirelesstwo-way communication device.
 11. The method of claim 6, wherein themobile device is a data messaging device.
 12. The method of claim 6,wherein the mobile device is a two-way pager.
 13. The method of claim 6,wherein the mobile device is a wireless Internet appliance.
 14. Themethod of claim 6, wherein the wireless network includes means forproviding the wireless network.
 15. The method of claim 6, wherein thesecure information is an S/MIME encrypted message.
 16. The method ofclaim 15, wherein the sensitive information is an unencrypted version ofthe S/MIME message.
 17. The method of claim 16, wherein the securemessage was unencrypted by obtaining and applying a private key to theencrypted S/MIME message.
 18. The method of claim 6, wherein thesensitive information arises from use of a Personal InformationManagement (PIM) application.
 19. The method of claim 6, wherein thesensitive information arises from use of the mobile device for voicecommunications.
 20. The method of claim 6, wherein the sensitiveinformation arises from use of the mobile device for videocommunications.
 21. The method of claim 6, wherein the sensitiveinformation arises from use of the mobile device for short messagingservice (SMS) communications.
 22. The method of claim 6, wherein thesensitive information arises from use of the mobile device for e-mailmessaging communications.
 23. The method of claim 6, wherein thesensitive information arises from use of the mobile device for web pagecommunications.
 24. The method of claim 6, wherein the sensitiveinformation arises from use of the mobile device for wireless accessprotocol (WAP) communications.
 25. The method of claim 6, wherein anobject is unreachable when it is not referenced by another object. 26.The method of claim 6, wherein an object is unreachable when it isunreferenced by the software program.
 27. The method of claim 6, whereinan object is unreachable when it is not referenced by any object. 28.The method of claim 6, wherein when the object in the memory is detectedas being unreachable, a wipe function is used in order to securelyreclaim the memory which the object was using.
 29. The method of claim28, wherein a system clipboard is cleaned in addition to theobliteration of the object.
 30. The method of claim 28, wherein at leastsubstantially all garbage collections performed on the mobile device usethe wipe function.
 31. The method of claim 28, wherein all garbagecollections performed on the mobile device use the wipe function therebytreating all objects as sensitive.
 32. The method of claim 6, whereinthe memory stores software programs for operation upon the mobiledevice's microprocessor, wherein a non-native wipe function is used toobliterate the object from the memory.
 33. The method of claim 6,wherein the memory stores software programs for operation upon themobile device's microprocessor, wherein a native wipe function is usedto obliterate the object from the memory.
 34. The method of claim 33,wherein the object is obliterated from the memory by writing over theobject's data in the memory with all zeroes.
 35. The method of claim 33,wherein the object is obliterated from the memory by writing over theobject's data in the memory with all ones.
 36. The method of claim 33,wherein the object is obliterated from the memory by writing over theobject's data in the memory with random data.
 37. The method of claim33, wherein the object is obliterated from the memory in order to thwarta sophisticated memory recovery technique by an attacker.
 38. The methodof claim 6, wherein the memory stores software programs for operationupon the mobile device's microprocessor, wherein a wipe function is usedto obliterate the object from the memory.
 39. The method of claim 38,wherein the software programs include virtual machine software having asecure garbage collector software module capable of using the wipefunction.
 40. The method of claim 39, wherein the virtual machinesoftware is configured to interpret virtual machine instructions foundin the software programs.
 41. The method of claim 39, wherein the memoryincludes dynamically allocable memory for use in storing the object. 42.The method of claim 39, wherein the memory includes heap memory, whereinthe virtual machine software is configured to access objects stored inheap via a reference table.
 43. The method of claim 42, wherein theobject handling the sensitive object is a sensitive object, wherein anobject handling the secure information is a secure object, wherein theheap contains partitions so that sensitive objects are distinguishablefrom secure objects.
 44. The method of claim 43, wherein the secureobjects are stored in non-volatile memory of the mobile device, whereinthe sensitive objects are stored in volatile memory of the mobiledevice.
 45. The method of claim 44, wherein memory addresses of objectsare stored in the reference table so that given an index of an object inthe reference table, the memory address of the object may be obtained.46. The method of claim 45, wherein an object contains within its formatthe object's references to any other objects.
 47. The method of claim46, wherein the reference table allows the object to access otherobjects irrespective of whether they are stored in volatile ornon-volatile memory.
 48. The method of claim 47, wherein the softwareprogram that creates the object is a secure viewer application operatingon the mobile device.
 49. The method of claim 48, wherein the secureviewer application, when executed by the virtual machine software,results in the object being allocated in heap and accessible via itscorresponding entry in the reference table.
 50. The method of claim 49,wherein a viewer object is used to display to a user of the mobiledevice the sensitive information.
 51. The method of claim 50, whereinthe viewer object dynamically generates a sensitive object byauthentication in the secure viewer application.
 52. The method of claim6, wherein decision to obliterate the object and to reclaim the memorythat the object was using is based upon a security consideration. 53.The method of claim 6, wherein decision to obliterate the object and toreclaim the memory that the object was using is based upon a securityconsideration and not based upon amount of memory remaining.
 54. Themethod of claim 6, wherein decision to obliterate the object and toreclaim the memory that the object was using is based upon said stepwhich determines that the object has become unreachable, wherein thedecision is independent of the level of available memory.
 55. The methodof claim 6, wherein decision to obliterate the object and to reclaim thememory that the object was using is based upon said step whichdetermines that the object has become unreachable, wherein the decisionis not performed based upon the amount of memory being lower than apreselected threshold.
 56. The method of claim 6, further comprising thesteps of: determining that a trigger has occurred, wherein the triggeris used as an indication to perform a secure garbage collectionoperation; based upon receiving the trigger, requesting that a secureapplication unreference the application's sensitive objects; determiningthat a sensitive object has been unreferenced by the secure application;based upon the determination that the sensitive object has beenunreferenced, obliterating the unreferenced object from memory.
 57. Themethod of claim 56, wherein a plurality of objects are obliterated basedupon a determination that a plurality of sensitive objects have beenunreferenced by the secure applications, wherein the type of trigger isused to determine how garbage collection is to be performed.
 58. Themethod of claim 56, wherein a plurality of secure applications arerequested to unreference their respective sensitive objects.
 59. Themethod of claim 56, wherein a parameter associated with the trigger isloaded from a configuration file, wherein the parameter is used in thedetermining that a trigger has occurred.
 60. The method of claim 56,wherein the configuration file specifies that all unreferenced objectsare to be treated as sensitive objects.
 61. The method of claim 56,wherein the trigger includes trigger means.
 62. The method of claim 56,wherein the trigger occurs based upon a preselected event occurring. 63.The method of claim 62, wherein the event is timeout event which occurswhen the mobile device is idle for a preselected time.
 64. The method ofclaim 62, wherein the event is a cradled event.
 65. The method of claim64, wherein the cradled event occurs when the mobile device is placed inor removed from the mobile device's cradle.
 66. The method of claim 62,wherein the event is a holstered event.
 67. The method of claim 66,wherein the holstered event occurs when the mobile device is placed inor removed from the mobile device's holster.
 68. The method of claim 62,wherein the event is a screen lock event.
 69. The method of claim 62,wherein the event is a user lock event.
 70. The method of claim 62,wherein the event is an application event.
 71. The method of claim 70,wherein the application event includes when a viewer has stoppeddisplaying a sensitive object.
 72. The method of claim 71, wherein aconfiguration parameter is used to age a decrypted message beforecausing a trigger to be generated.
 73. The method of claim 72, whereinthe aging of a decrypted message is used to give the mobile device'suser an opportunity to view a message, close it, and re-open it within apreselected time out period.
 74. The method of claim 62, wherein theevent is a roll back trigger event.
 75. The method of claim 74, whereinthe roll back trigger event occurs when the mobile device's system clockor a time zone has been altered.
 76. The method of claim 62, wherein theevent is a transceiver-based event.
 77. The method of claim 76, whereinthe transceiver-based event occurs if the mobile device communicatesover the wireless network.
 78. The method of claim 56, wherein basedupon the determining of the trigger, requesting that a secureapplication unreference the application's non-sensitive objects.
 79. Themethod of claim 56, wherein the secure garbage collection operationincludes obliterating the unreferenced sensitive objects.
 80. The methodof claim 79, wherein the secure garbage collection operation includesreclaiming memory that was used by the unreferenced sensitive objects.81. The method of claim 6, further comprising the steps of: determiningthat a trigger has occurred, wherein the trigger is used as anindication to perform a secure garbage collection operation; based uponreceiving the trigger, requesting that a secure application unreferencethe application's sensitive objects; and performing a secure garbagecollection operation upon the unreferenced sensitive objects.
 82. Themethod of claim 6, further comprising the steps of: waiting for atrigger before performing a secure garbage collection operation;determining that a trigger has occurred, wherein the trigger is used asan indication to perform a secure garbage collection operation; basedupon receiving the trigger, requesting that a secure applicationunreference the application's sensitive objects; and performing a securegarbage collection operation upon the sensitive objects unreferenced bythe application.
 83. The method of claim 6, further comprising the stepsof: waiting for a trigger before performing a secure garbage collectionoperation; determining that a trigger has occurred, wherein the triggeris used as an indication to perform a secure garbage collectionoperation; based upon receiving the trigger, requesting that secureapplications unreference the applications' sensitive objects; andperforming a secure garbage collection operation upon the sensitiveobjects unreferenced by the applications.